spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Fri Jan 26, 2018 6:07 am Post subject: Not able to connect to internet from qemu virtual machine |
I have a Windows 10 guest set up on my Gentoo host installation with the configuration below
Code:
<domain type='kvm'>
  <name>windows10</name>
  <uuid>a2fa43c9-fa02-4a43-8668-172de1cd9bce</uuid>
  <memory unit='KiB'>8388608</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.10'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/mnt/share/vms/vir-mgr-images/vms-win10'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/share/isos/Win10_1709_English_x64.iso'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/share/isos/virtio-win-0.1.141.iso'/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <!-- the guest is attached to the host bridge br0, not to libvirt's virbr0 -->
    <interface type='bridge'>
      <mac address='52:54:00:54:88:16'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <!-- SPICE is exposed on every host interface here; libvirt's default is 127.0.0.1 -->
    <graphics type='spice' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='1'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </memballoon>
  </devices>
</domain>
I have a network bridge set up on my Gentoo host with the configuration below
Code:
bridge_br0="enp3s0"
#config_br0="dhcp"
modules="!dhcpcd !udhcpc"
config_br0="192.168.0.11 netmask 255.255.255.0 brd 192.168.0.255"
routes_br0="default via 192.168.0.1"
dns_servers_br0="8.8.8.8 8.8.4.4"
#dns_servers_br0="8.8.8.8 8.8.4.4"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
I am able to access the internet from my host.
From the guest I was earlier able to access the internet, but recently I installed Docker and that seems to have broken something on my machine. I tried uninstalling Docker but the problem persists.
My network configuration is as below:
Code:
sunils@sunils-pc ~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 0e:16:f3:74:48:46 brd ff:ff:ff:ff:ff:ff
3: eql: <MASTER> mtu 576 qdisc noop state DOWN group default qlen 5
link/slip
4: enp0s31f6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 9c:5c:8e:bb:77:90 brd ff:ff:ff:ff:ff:ff
5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
valid_lft forever preferred_lft forever
6: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/tunnel6 :: brd ::
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
link/tunnel6 :: brd ::
9: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.11/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
valid_lft forever preferred_lft forever
10: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:4f:4b:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
11: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:4f:4b:5f brd ff:ff:ff:ff:ff:ff
32: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:85:53:8c brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe85:538c/64 scope link
valid_lft forever preferred_lft forever
Below is a screenshot of the network configuration in Windows 10:
https://cdn.pbrd.co/images/H4FwoPd.png
For some reason Windows picks up the subnet mask 255.255.0.0; I am not exactly sure where it picks it up from.
I have already wasted one week trying to find the solution. Can someone please help me regarding this?
Please note that when I set up the IP configuration manually I am able to ping my host and the DNS IP addresses, but network resolution fails if I try pinging google.com.
Below is the manual IP configuration:
IP: 192.168.0.10
Subnet Mask: 255.255.255.0
Gateway: 192.168.0.1
DNS: 8.8.8.8, 8.8.4.4
Ping test from the Windows 10 guest:
https://i.stack.imgur.com/0oIAy.png
Last edited by spsarolkar on Fri Jan 26, 2018 6:56 am; edited 1 time in total |
bbgermany Veteran


Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Fri Jan 26, 2018 6:47 am Post subject: |
Hi,
first: please use code tags next time.
second: do you have IP forwarding enabled on the host?
You should check this with
Code:
cat /proc/sys/net/ipv4/ip_forward
It should show "1" as the result; otherwise it is not enabled.
greets, bb
_________________
1st: i5-7400, 16GB, 2TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 32GB, 14.5TB
4th: i5-3210M, 8GB, 512GB
5th: i5-3210M, 8GB, 120GB
spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Fri Jan 26, 2018 6:52 am Post subject: |
Hi bbgermany,
Sorry, just getting used to the editor; I will surely put the configuration in code tags henceforth.
ip_forward returns 1, please check it below:
Code:
sunils@sunils-pc ~ $ cat /proc/sys/net/ipv4/ip_forward
1
bbgermany Veteran


Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Fri Jan 26, 2018 10:05 am Post subject: |
You should have a look at the interfaces 10, 11 and 32 on your list. Maybe these are interfering with the config for your guest.
greets, bb
spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Fri Jan 26, 2018 10:24 am Post subject: |
Hi bb,
I tried deleting these interfaces, but no impact.
I even tried removing virtio altogether and using a simple qemu command to launch the VM:
Code:
qemu-system-x86_64 --enable-kvm -cpu host -smp cores=4,threads=1 -boot d -cdrom ../virtio-win-0.1.141.iso -vga qxl -m 10G -drive file=./win10.img,format=qcow2 -machine type=pc,accel=kvm -net nic -net bridge,br=br0 -usbdevice tablet -device virtio-serial-pci -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 -chardev spicevmc,id=spicechannel0,name=vdagent -smb /mnt/share/
The new interfaces look like below:
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 0e:16:f3:74:48:46 brd ff:ff:ff:ff:ff:ff
3: eql: <MASTER> mtu 576 qdisc noop state DOWN group default qlen 5
link/slip
4: enp0s31f6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 9c:5c:8e:bb:77:90 brd ff:ff:ff:ff:ff:ff
5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
valid_lft forever preferred_lft forever
6: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/tunnel6 :: brd ::
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
link/tunnel6 :: brd ::
9: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.11/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
valid_lft forever preferred_lft forever
44: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
link/ether fe:e3:3d:7a:65:99 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fce3:3dff:fe7a:6599/64 scope link
valid_lft forever preferred_lft forever
In the above, tap0 is the interface auto-generated by qemu.
But I still get the same damn issue. I tried reinstalling Windows multiple times on separate images; I keep getting the exact same default IP assigned with a 255.255.0.0 subnet mask, and even if I change the subnet mask to my router's, I can successfully ping the host, Google DNS servers and Google IP addresses, but DNS resolution fails for google.com.
I get a feeling the issue is somewhere else in the OS and not in the virtual machine network configuration.
Everything was working fine initially, but a few days back I installed Docker and that seems to have broken things; now, even though I uninstalled Docker, things are not getting back to normal.
bbgermany Veteran


Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Fri Jan 26, 2018 10:28 am Post subject: |
The IP you see is an APIPA address, which you get if no DHCP server answers requests. Do you have a working DHCP server in your network?
greets, bb
spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Fri Jan 26, 2018 10:44 am Post subject: |
bbgermany wrote: | Do you have a working dhcp server in your network? |
Currently there is no local DNS server, but I can see the Google DNS servers can be pinged from the Windows guest.
Last time I installed the DNS server it interfered with my static IP address assigned by netifrc. That's why DHCP is disabled in /etc/conf.d/net. But I uninstalled it after that.
bbgermany Veteran


Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Fri Jan 26, 2018 10:49 am Post subject: |
Not DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol). These are two different systems. The only point in common is that the DHCP server can provide a DNS server entry for your IP configuration.
What does "nslookup www.google.com" give you on your Windows guest when you set up a static IP address on the Windows system?
greets, bb
spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Fri Jan 26, 2018 10:59 am Post subject: |
bbgermany wrote: | What does "nslookup www.google.com" gives you on your windows guest, when you setup a static ip address on the windows system? |
Here is the output: https://cdn.pbrd.co/images/H4Hrtz5.png
Regarding the DHCP server, I seem to have dnsmasq installed. But I never knew it was there. Are you talking about the same?
I have a DHCP server on the router running at 192.168.0.1; that's the gateway I mentioned.
spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Sat Jan 27, 2018 3:05 pm Post subject: |
I finally found some clues: when I flush iptables, everything works like a charm.
There is some rule in my iptables which is blocking the local traffic. I am very new to iptables, so I am not able to identify which rule is causing the issue. Below is the dump of all the rules:
Code:
sunils@sunils-pc /var/log/samba $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Can someone please help me with which rule I should be adding to allow the internet connection via the bridge from the guest?
Hu Moderator

Joined: 06 Mar 2007 Posts: 16479
Posted: Sat Jan 27, 2018 11:25 pm Post subject: |
Actually, that is not a dump of all rules. That is only a dump of the filter table. There are other tables, notably nat and mangle. Generally, if you need help with a netfilter problem, you should post the output of iptables-save -c, not the output of iptables -L. The latter defaults to hiding information that may be useful to us. |
spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Sun Jan 28, 2018 2:32 am Post subject: |
Hu wrote: | you should post the output of iptables-save -c, not the output of iptables -L. The latter defaults to hiding information that may be useful to us. |
Please find it below
Code:
sunils@sunils-pc ~ $ sudo rc-service iptables restart
* Loading iptables state and starting firewall ... [ ok ]
sunils@sunils-pc ~ $ sudo iptables-save -c
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*nat
:PREROUTING ACCEPT [354:89200]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:4729]
:POSTROUTING ACCEPT [30:4729]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[293069:88502969] -A PREROUTING -j PREROUTING_direct
[293069:88502969] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[293069:88502969] -A PREROUTING -j PREROUTING_ZONES
[32338:5203134] -A OUTPUT -j OUTPUT_direct
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[32358:5204222] -A POSTROUTING -j POSTROUTING_direct
[32358:5204222] -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
[32358:5204222] -A POSTROUTING -j POSTROUTING_ZONES
[0:0] -A POSTROUTING -o enp3s0 -j MASQUERADE
[32358:5204222] -A POSTROUTING_ZONES -g POST_public
[32358:5204222] -A POST_public -j POST_public_log
[32358:5204222] -A POST_public -j POST_public_deny
[32358:5204222] -A POST_public -j POST_public_allow
[293069:88502969] -A PREROUTING_ZONES -g PRE_public
[293069:88502969] -A PRE_public -j PRE_public_log
[293069:88502969] -A PRE_public -j PRE_public_deny
[293069:88502969] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*mangle
:PREROUTING ACCEPT [6662821:18584686283]
:INPUT ACCEPT [6413110:18501564014]
:FORWARD ACCEPT [63327:8973327]
:OUTPUT ACCEPT [4312399:10283978911]
:POSTROUTING ACCEPT [4313819:10284216935]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[6662821:18584686283] -A PREROUTING -j PREROUTING_direct
[6662821:18584686283] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[6662821:18584686283] -A PREROUTING -j PREROUTING_ZONES
[6413110:18501564014] -A INPUT -j INPUT_direct
[63327:8973327] -A FORWARD -j FORWARD_direct
[4312399:10283978911] -A OUTPUT -j OUTPUT_direct
[4313819:10284216935] -A POSTROUTING -j POSTROUTING_direct
[6662821:18584686283] -A PREROUTING_ZONES -g PRE_public
[6662821:18584686283] -A PRE_public -j PRE_public_log
[6662821:18584686283] -A PRE_public -j PRE_public_deny
[6662821:18584686283] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [230:37454]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[6368283:18495942558] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[53:3180] -A INPUT -i lo -j ACCEPT
[44774:5618276] -A INPUT -j INPUT_direct
[44774:5618276] -A INPUT -j INPUT_ZONES_SOURCE
[44774:5618276] -A INPUT -j INPUT_ZONES
[16:640] -A INPUT -m conntrack --ctstate INVALID -j DROP
[44753:5617328] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[72:4304] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i lo -j ACCEPT
[63255:8969023] -A FORWARD -j FORWARD_direct
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES_SOURCE
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES
[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[63231:8967807] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i enp3s0 -o br0 -j ACCEPT
[0:0] -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[4312399:10283978911] -A OUTPUT -j OUTPUT_direct
[63255:8969023] -A FORWARD_IN_ZONES -g FWDI_public
[63231:8967807] -A FORWARD_OUT_ZONES -g FWDO_public
[63255:8969023] -A FWDI_public -j FWDI_public_log
[63255:8969023] -A FWDI_public -j FWDI_public_deny
[63255:8969023] -A FWDI_public -j FWDI_public_allow
[24:1216] -A FWDI_public -p icmp -j ACCEPT
[63231:8967807] -A FWDO_public -j FWDO_public_log
[63231:8967807] -A FWDO_public -j FWDO_public_deny
[63231:8967807] -A FWDO_public -j FWDO_public_allow
[44774:5618276] -A INPUT_ZONES -g IN_public
[44774:5618276] -A IN_public -j IN_public_log
[44774:5618276] -A IN_public -j IN_public_deny
[44774:5618276] -A IN_public -j IN_public_allow
[3:180] -A IN_public -p icmp -j ACCEPT
[2:128] -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
sunils@sunils-pc ~ $
bbgermany Veteran


Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Mon Jan 29, 2018 7:58 am Post subject: |
Hi,
it looks (according to the iptables output) like there are still Docker firewall rules left installed (like FWDO <- sounds like FireWallDockerOut). Maybe these are preventing your access to the internet from your qemu VM, or did you set these rules manually?
greets, bb
spsarolkar n00b

Joined: 26 Jan 2018 Posts: 28
Posted: Mon Jan 29, 2018 10:40 am Post subject: |
bbgermany wrote: | Maybe these are preventing your access to the internet from your qemu vm or did you set these rules manually? |
Of course not. I am new to iptables and have not yet set up any rules apart from those mentioned on the Gentoo QEMU wiki: https://wiki.gentoo.org/wiki/QEMU
Below are the rules that I fired in the hope of making things work, but it didn't help:
Code:
root # iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
root # iptables -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root # iptables -A FORWARD -i enp3s0 -o br0 -j ACCEPT
Can you please help me with which commands I should run to remove the irrelevant rules, or add any additional rules to allow traffic in the local network? ...because when all iptables rules are on, I am not able to access my Samba share or VNC server even from the local network.
_________________
SunilS
bbgermany Veteran


Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Mon Jan 29, 2018 3:36 pm Post subject: |
spsarolkar wrote: | bbgermany wrote: | Maybe these are preventing your access to the internet from your qemu vm or did you set these rules manually? |
Of course not. I am new to iptables and have not yet set up any rules apart from those mentioned on the Gentoo QEMU wiki: https://wiki.gentoo.org/wiki/QEMU
Below are the rules that I fired in the hope of making things work, but it didn't help:
root # iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
root # iptables -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root # iptables -A FORWARD -i enp3s0 -o br0 -j ACCEPT
Can you please help me with which commands I should run to remove the irrelevant rules, or add any additional rules to allow traffic in the local network? ...because when all iptables rules are on, I am not able to access my Samba share or VNC server even from the local network. |
Since you are running a bridged configuration, you won't even need those for access from your guest. The host and guest share the same subnet.
The init script of iptables saves the rules to /var/lib/iptables/rules-save. You could try moving the file to another location and restarting the iptables service (if you don't need a firewall at all).
greets, bb
Hu Moderator

Joined: 06 Mar 2007 Posts: 16479
Posted: Tue Jan 30, 2018 4:42 am Post subject: |
That table is a mess. I think I see an explanation for your specific problem (assuming your kernel is also configured to apply netfilter to bridges - this is optional, so not everyone does). However, I think you need to review the whole setup.
- You have many rules that reference virbr0, but the VM is not joined to virbr0. It is joined to br0. Therefore, rules that specify virbr0 fail to match traffic involving this VM.
- You bridged your physical NIC, but your netfilter rules still try to refer to it by name. These rules will fail to match, since traffic on a bridge uses the bridge name (but if you need to match on a specific physical interface, --physdev can be used).
- You have a catch-all reject rule in the FORWARD chain above other rules. Fortunately, those rules can never match anything anyway, so failing to reach them has no adverse impact here.
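The three points in that reply can be checked mechanically against the `iptables-save -c` output posted earlier. The script below is an added example written for this thread, not code from any poster or from the Gentoo wiki. It parses an iptables-save dump and flags (1) rules bound to an interface the guest is not attached to (virbr0, while the domain XML attaches the guest to br0), (2) rules that name a bridge port (enp3s0) directly, which never match bridged frames unless `-m physdev` is used, and (3) rules that sit behind an unconditional terminating rule in the same chain. It also reports whether the kernel applies iptables to bridged traffic at all (the br_netfilter sysctl `bridge-nf-call-iptables`, the optional part the reply mentions). The interface names are the thread's; `SAMPLE_DUMP` is an abridged copy of the posted filter table, constructed for the example, and `lint`, `Rule`, `Finding` and the check names are this example's own.

```python
"""Lint an iptables-save dump for rules that cannot match a bridged guest.
Added example for this thread (not any poster's code).  br0/enp3s0/virbr0 come
from the thread; SAMPLE_DUMP is an abridged copy of the posted filter table."""
import shlex
from collections import namedtuple
from pathlib import Path
from typing import Dict, List, Optional

SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[6368283:18495942558] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[53:3180] -A INPUT -i lo -j ACCEPT
[44753:5617328] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[72:4304] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[63231:8967807] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i enp3s0 -o br0 -j ACCEPT
COMMIT
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}  # stop the chain walk
# Target options only; a rule made solely of these matches every packet.
TARGET_OPTS = {"-j", "-g", "--reject-with", "--to-ports", "--to-source", "--to-destination"}
IFACE_OPTS = {"-i", "--in-interface", "-o", "--out-interface"}

# table, chain, tokens after "-A CHAIN" (counters stripped), original line
Rule = namedtuple("Rule", "table chain args text")
# kind is "other-iface", "enslaved-iface" or "unreachable"
Finding = namedtuple("Finding", "kind rule why")


def parse_rules(dump: str) -> List[Rule]:
    """Collect the -A lines of an iptables-save dump, tracking the table."""
    table, rules = "filter", []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("[") and "] " in line:  # "[pkts:bytes] -A ..."
            line = line.split("] ", 1)[1]
        if line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append(Rule(table, tokens[1], tokens[2:], line))
    return rules


def target_of(args: List[str]) -> Optional[str]:
    for opt in ("-j", "-g"):
        if opt in args:
            return args[args.index(opt) + 1]
    return None


def is_unconditional(args: List[str]) -> bool:
    """True when the rule carries no match at all (only target options)."""
    return all(args[i] in TARGET_OPTS for i in range(0, len(args), 2))


def interface_refs(args: List[str]):
    """Yield (option, name) for every non-negated -i/-o in the rule."""
    negated = False
    for i, tok in enumerate(args):
        if tok == "!":
            negated = True
            continue
        if tok in IFACE_OPTS and not negated:
            yield tok, args[i + 1]
        negated = False


def lint(dump: str, guest_bridge: str, bridge_members: Dict[str, List[str]]) -> List[Finding]:
    """Run the three checks over every rule; bridge_members maps bridge -> ports."""
    enslaved = {nic for nics in bridge_members.values() for nic in nics}
    catch_all: Dict[tuple, tuple] = {}  # (table, chain) -> (index, target)
    findings: List[Finding] = []
    for idx, rule in enumerate(parse_rules(dump)):
        key = (rule.table, rule.chain)
        if key in catch_all:  # check 3: rule behind an unconditional terminator
            at, tgt = catch_all[key]
            findings.append(Finding("unreachable", rule, f"follows unconditional {tgt} at rule {at}"))
        for opt, name in interface_refs(rule.args):
            way = "in" if opt in ("-i", "--in-interface") else "out"
            if name in enslaved:  # check 2: bridge port named directly
                findings.append(Finding("enslaved-iface", rule,
                    f"{name} is a bridge port; bridged packets carry the bridge name, "
                    f"match the port with -m physdev --physdev-{way} {name}"))
            elif name not in (guest_bridge, "lo"):  # check 1: some other interface
                findings.append(Finding("other-iface", rule,
                    f"guest is on {guest_bridge}, not {name}; rule never sees its traffic"))
        tgt = target_of(rule.args)
        if is_unconditional(rule.args) and (tgt in TERMINATING or "-g" in rule.args):
            catch_all.setdefault(key, (idx, tgt))
    return findings


def bridge_nf_enabled(path: str = "/proc/sys/net/bridge/bridge-nf-call-iptables") -> Optional[bool]:
    """None when br_netfilter is not loaded: iptables then never sees bridged frames."""
    try:
        return Path(path).read_text().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    for f in lint(SAMPLE_DUMP, "br0", {"br0": ["enp3s0"]}):
        print(f"[{f.kind}] {f.rule.table} {f.rule.text}\n    {f.why}")
    print("bridge-nf-call-iptables:", bridge_nf_enabled())
```

On the sample it reports the three virbr0 rules as never seeing the guest's traffic, the two wiki rules as both naming the enslaved enp3s0 and as unreachable behind the unconditional REJECT in FORWARD. Run it on the host against a file saved from `iptables-save -c` with the bridge named in the domain's `<source bridge='...'/>`; if `bridge_nf_enabled()` returns None or False, the FORWARD chain is not consulted for bridged frames at all, so a guest-to-internet failure cannot be a FORWARD rule (INPUT still applies to traffic addressed to the host itself). An unconditional `-g` is treated as a terminator too, since a goto never returns to the calling chain.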